Escape ` and = when escaping HTML.
They can be used for nefarious purposes on old IEs. Refs wycats/handlebars.js@83b8e84
This commit is contained in:
@@ -15,7 +15,9 @@ public class Escapers
|
|||||||
{ "'", "'" },
|
{ "'", "'" },
|
||||||
{ "\"", """ },
|
{ "\"", """ },
|
||||||
{ "<", "<" },
|
{ "<", "<" },
|
||||||
{ ">", ">" }
|
{ ">", ">" },
|
||||||
|
{ "`", "`" },
|
||||||
|
{ "=", "=" }
|
||||||
});
|
});
|
||||||
|
|
||||||
/** An escaper that does no escaping. */
|
/** An escaper that does no escaping. */
|
||||||
|
|||||||
@@ -283,10 +283,11 @@ public abstract class SharedTests extends GWTTestCase
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test public void testEscapeHTML () {
|
@Test public void testEscapeHTML () {
|
||||||
check("<b>", Mustache.compiler().compile("{{a}}").
|
check("<b>", Mustache.compiler().compile("{{a}}").execute(context("a", "<b>")));
|
||||||
execute(context("a", "<b>")));
|
|
||||||
check("<b>", Mustache.compiler().escapeHTML(false).compile("{{a}}").
|
check("<b>", Mustache.compiler().escapeHTML(false).compile("{{a}}").
|
||||||
execute(context("a", "<b>")));
|
execute(context("a", "<b>")));
|
||||||
|
// ensure that some potential XSS enablers are escaped
|
||||||
|
check("`=", Mustache.compiler().compile("{{a}}").execute(context("a", "`=")));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test public void testUserDefinedEscaping() {
|
@Test public void testUserDefinedEscaping() {
|
||||||
|
|||||||
Reference in New Issue
Block a user